[11:05] <ahasenack> good morning
[13:03] <cpaelzer> jamespage: have you seen any 16.04 impact in regard to nested KVM when openstack models the CPU features (like bug 1797332)?
[14:14] <sdeziel> /usr/lib/ubuntu-release-upgrader/check-new-release makes outbound HTTPS connections which are blocked here. I'm looking for a way to have it use a HTTP proxy, any pointers?
[14:14] <teward> sdeziel: set your HTTP_PROXY, HTTPS_PROXY, etc. to your non-https-enabled proxy?
[14:15] <teward> and for apt too possibly it'd need it?
[14:15] <sdeziel> teward: I tried a bunch of variations of that and it didn't work
[14:15] <sdeziel> teward: I tried http(s)_proxy and HTTP(S)_PROXY env to no avail
[14:16] <sdeziel> teward: also set Acquire::http(s)::Proxy
[14:19] <sdeziel> I've also added the lower/upper cases vars to /etc/environment...
[14:19] <sdeziel> still a direct connection is attempted
[14:25] <teward> i'd have to go and do some testing, which OS?
[14:25] <teward> s/OS/version/
[14:26] <sdeziel> teward: bionic
[14:27] <teward> give me a minute to debug this evil thing with this other program and i'll do some tests?
[14:27] <teward> (sorry my system's being stupidly stupid today)
[14:28] <sdeziel> teward: I am just wondering what I'm doing wrong and we still have a long time before Bionic becomes EOL ;)
[14:29] <sdeziel> so I have ~ 5 years to address this
[14:29] <teward> :P
[14:31] <plm> Hi all!
[14:31] <ahasenack> rbasak: I was looking at https://code.launchpad.net/~tdaitx/ubuntu/+source/initramfs-tools/+git/initramfs-tools/+merge/355190 and that was already gathered by the importer
[14:31] <ahasenack> rbasak: the mp is still in "needs review" state
[14:32] <rbasak> ahasenack: presumably no upload tag was supplied?
[14:32] <ahasenack> rbasak: would that be because a) it was never switched to "approved"; and b) the upload tag wasn't pushed?
[14:32] <ahasenack> are both of these conditions required, or just the latter perhaps? Do you remember?
[14:33] <ahasenack> rbasak: and, I think it's safe to switch it to "merged", right? I just checked out xenial-devel and it has that code merged via the importer
[14:33] <rbasak> Only the latter is required.
[14:33] <plm> TJ-: Hey! How are you?
[14:34] <plm> TJ-: Did you succeed in making the script?
[14:34] <rbasak> The importer doesn't actually touch any MPs. Launchpad is set to detect when an MP's proposed branch tip hits the target branch and automatically marks it as merged.
[14:34] <rbasak> But that'll only happen if the importer adopted the branch which only happens currently if the upload tag was pushed.
[14:34] <TJ-> plm: working on it right now
[14:35] <ahasenack> rbasak: ah, gotcha
[14:35] <TJ-> sdeziel: there's a workaround for the HTTPS issue; simply change the protocol to HTTP in /etc/update-manager/meta-release  - it is only recently (due to me!) the protocol was changed to support HTTPS
[14:35] <ahasenack> makes sense
[14:36] <ahasenack> cpaelzer: libvirt question, before I dig in deep maybe you have a hint
[14:36] <sdeziel> TJ-: that's no fix :P just a workaround
[14:36] <TJ-> sdeziel: well we lived with it for years :)
[14:36] <ahasenack> cpaelzer: bind9 monitors nic changes and detects when a new nic comes up, and starts listening on it
[14:36] <sdeziel> TJ-: any idea why the proxy vars are ignored?
[14:36] <ahasenack> cpaelzer: for some reason, that isn't working when a libvirt bridge is brought up. I have to restart bind9, even though it detected the new nic and said it was listening on it
[14:37] <ahasenack> cpaelzer: tcpdump also shows no traffic hitting that nic when I do a dig @<nic-ip> test. Only after I restart bind
[14:37] <ahasenack> cpaelzer: a normal bridge, brought up with "brctl addbr br0; ifconfig br0 ...." works, bind listens on it just fine
[14:38] <ahasenack> cpaelzer: any idea what could be going on? I thought maybe firewall rules, but I can't imagine how a bind restart would make it all work
[14:40] <plm> TJ-: gfreat =D
[14:40] <plm> *great
[14:41] <TJ-> sdeziel: I'd guess from looking at the d-r-u code it is related to "from UpdateManager.Core.utils import init_proxy"
[14:42] <cpaelzer> ahasenack: you are looking at the usual default network configuration?
[14:42] <sdeziel> TJ-: thanks, I'll dig in
[14:43] <ahasenack> cpaelzer: yeah, the 192.168.122.0/24 that is brought up
[14:43] <cpaelzer> ahasenack: the only rules that has are for the nat forwarding
[14:43] <ahasenack> or 192.168.121.0/24, if there is a conflict, and so on
[14:43] <cpaelzer> and as you said, a bind restart couldn't fix that anyway
[14:43] <cpaelzer> puzzling for sure
[14:43] <cpaelzer> hmm
[14:44] <TJ-> sdeziel: the changelog for update-manager has "* Add support for HTTPS proxies; this breaks UpdateManager.Core.utils.init_proxy()"
[14:44] <ahasenack> nat, hm, I wonder if bind was rejecting it because of the source address or something. But again, the restart making it work puzzles me
[14:44] <ahasenack> I'll keep digging
[14:44] <cpaelzer> ahasenack: you said bind realizes that it got added and pretends to listen on it
[14:44] <ahasenack> yes
[14:44] <cpaelzer> how do you bring up that libvirt network?
[14:44] <cpaelzer> net-start?
[14:45] <ahasenack> tried that, and also right after install, since postinst brings it up
[14:45] <ahasenack> nic hotplugging works fine as well
[14:45] <ahasenack> via virt-manager
[14:45] <ahasenack> so far I narrowed it down to this libvirt bridge only
[14:48] <cpaelzer> ahasenack: conflicting dns service?
[14:48] <TJ-> sdeziel: maybe juliank can tell us how it gets broken; I can't see why from the code of UpdateManager/Core/utils.py
[14:48] <ahasenack> hmm
[14:48] <ahasenack> cpaelzer: you mean with dnsmasq
[14:48] <cpaelzer> something like that
[14:48] <ahasenack> that's a good hint
[14:48] <cpaelzer> breaking the init
[14:48] <cpaelzer> and the latter restart might succeed (unsure why)
[14:48] <cpaelzer> but worth to keep an eye on when debugging
[14:49] <ahasenack> I need to switch the kernel in this vm
[14:49] <ahasenack> the -virtual kernel has no support for iptables
[14:50] <cpaelzer> dnsmasq certainly has 192.168.122.1:53 bound on a default install
[14:50] <cpaelzer> to provide services to guests
[14:50] <cpaelzer> is that enough as a working theory until falsified ahasenack?
[14:50] <ahasenack> cpaelzer: it is, thanks
[14:51]  * cpaelzer stops brain-brabble to IRC link then
[14:54] <cpaelzer> ahasenack: FYI you can try <dns enable='no'/> in the network definition
[14:54] <cpaelzer> even no config would otherwise spawn a default dnsmasq
[15:03] <ahasenack> cpaelzer: this is the other error I'm getting:
[15:03] <ahasenack> https://pastebin.ubuntu.com/p/BkWyF5RbWq/
[15:03] <ahasenack> I wonder if the cause is line 7
[15:03] <ahasenack> line 9 I thought was because of the virtual kernel: iptables -L wouldn't work
[15:03] <ahasenack> but it is working now
[15:04] <ahasenack> let me try bionic
[15:05] <ahasenack> bionic works just fine
[15:10] <ahasenack> hm, I installed using --no-install-recommends
[15:11]  * ahasenack lets recommends loose
[15:11] <ahasenack> ok, that fixed it
[15:12] <ahasenack> cpaelzer: you were right, it was dnsmasq \o/
[15:12] <ahasenack> check out who is listening on port 53 before and after the bind9 restart: https://pastebin.ubuntu.com/p/T9847Z8rSN/
[15:12] <ahasenack> on 192.168.122.1
[18:11] <teward> rbasak: sarnold: anyone else who cares: I have multiple requests in email that led to the creation of #1797897 which requests enablement of --with-compat so third party dynamic NGINX modules can be included in local installations without having to be repackaged in for Ubuntu.
[18:11] <teward> for the PPAs it's going to be enabled, but I would like additional inputs on for *Ubuntu* whether it should be enabled.
[18:11] <teward> i think we had a discussion on this before and it led nowhere?
[18:12] <teward> i forget who else was included on the discussion :|
[18:12] <teward> but it'd be needed for people to just add the already built .so into their 'versions' of nginx without having to install additional packages.
[18:13] <teward> (the nginx.org repositories build with --with-compat, not sure why Debian doesn't, though)
[18:13] <teward> (and this wouldn't get in until D-series, I forget what its codename is?)
[18:13] <sarnold> teward: hrm, I'm confused.. here it sounds like --with-company lets folks package their addons separately, but the bug text gives the opposite impression?
[18:19] <teward> sarnold: it's confusing I know
[18:20] <teward> let me dig up the post about it all on nginx.org
[18:21] <teward> sarnold: https://forum.nginx.org/read.php?29,270210,270213#msg-270213 and http://mailman.nginx.org/pipermail/nginx-devel/2018-May/011119.html where I make more inquiries about what it does
[18:21] <teward> sarnold: this WOULD let people compile third party NGINX plugins and use them without first having to compile alongside the existing source code
[18:21] <teward> and they could then theoretically install binary-only packages that'd interact with an existing nginx build
[18:21] <teward> but i had a recent uptick in the requests
[18:22] <teward> literally ten in the past two days from 10 separate individuals
[18:22] <teward> so it's a discussion back on the table
[18:22] <teward> sarnold: NGINX's devels suggest it should be enabled for distros
[18:22] <teward> and nginx.org's repos for NGINX have it, but the question is whether we should
[18:22] <teward> and i pinged you because of the security concern.
[18:22] <teward> --with-compat, not --with-company, by the way
[18:22] <teward> (autocomplete hates you I assume, sarnold?P
[18:23] <sarnold> teward: heh, no, that's just my stupid fingers
[18:23] <sarnold> damn things think they know best
[18:23] <sarnold> the word 'internal' just happens to have several backspaces in it ;)
[18:23] <teward> :P
[18:25] <teward> sarnold: TL;DR, if I have a copy of, say modsecurity for NGINX compiled dynamically, I could include that in a binary build of NGINX separately from the packaging if the nginx binaries were built with --with-compat
[18:25] <teward> *we* wouldn't have to worry about the security of that module since it doesn't sit in the Ubuntu repos from a Sec Team perspective
[18:25] <teward> and it'd be the case of "End User Stupidity" if they fubar their system with a bad plugin
[18:25] <teward> ... which is *technically* why we don't have any new modules in the packages in a long time :P
[18:25] <sarnold> teward: --with-compat sounds like a win to me
[18:26] <teward> sarnold: that's what I think, not sure why Debian never introduced it, even though nginx upstream did.
[18:26] <teward> but i thought i'd ask before I start poking.
[18:26] <teward> I could follow up on the ML but I think i brought this up before...
[18:27] <teward> bleh it's missing
[18:27] <teward> sarnold: i have no issues enabling it, but I thought I'd ask you and rbasak and {anyone else who cares} first before I start planning it
[18:31] <teward> sarnold: if you wish to make a comment from the Ubuntu package perspective https://bugs.launchpad.net/nginx/+bug/1797897 is the tracker for both the PPA and the Ubuntu package, since it's the same issue, but it's not going to be done 'quickly' for Ubuntu.
[18:32] <sarnold> ah good idea
[18:32] <teward> sarnold: what's D-series named again?
[18:32] <teward> i forget.
[18:32] <teward> i should be shot for forgetting but eh
[18:35] <teward> sarnold: i put my extended description into the bug description as well
[18:35] <teward> or comments rather
[18:35] <teward> since I wrote the initial bug while caffeine was still taking effect in my system :P
[18:42] <sarnold> :D
[19:16] <lucidguy> I'm looking for a new method to mass deploy bare metal servers.  Currently doing pxeboot with ubuntu-installer/preseed.  Need something more modern, for larger deployments.  I'm aware of Ubuntu's MAAS, Brightmaster, even thought of going pxeboot clonezilla.  Recommendations?
[19:18] <sarnold> lucidguy: I've heard folks happy with both maas and fai-server -- never heard of brightmaster
[19:24] <lucidguy> sarnold: Thanks for response
[20:26] <tomreyn> lucidguy: i like foreman